6.1.1.3.2.15. linotp.lib.ocra module

‘ocrasuite’ in unit tests:

OcraSuite-1:HOTP-SHA1-6:QN08
OcraSuite-1:HOTP-SHA256-8:QA08
OcraSuite-1:HOTP-SHA256-8:QN08-PSHA1

OcraSuite-1:HOTP-SHA512-8:C-QN08
OcraSuite-1:HOTP-SHA256-8:C-QN08-PSHA1

OcraSuite-1:HOTP-SHA512-8:QN08-T1M
OcraSuite-1:HOTP-SHA512-8:QA10-T1M

When computing a response, the concatenation order is always the following:

C | OTHER-PARTY-GENERATED-CHALLENGE-QUESTION | YOUR-GENERATED-CHALLENGE-QUESTION | P | S | T

If a value is empty (i.e., a certain input is not used in the computation) then the value is simply not represented in the string.

The counter on the token or client MUST be incremented every time a new computation is requested by the user. The server’s counter value MUST only be incremented after a successful OcraSuite authentication.

  CLIENT                                                      SERVER
 (PROVER)                                                   (VERIFIER)
    |                                                            |
    |   Verifier sends challenge to prover                       |
    |   Challenge = Q                                            |
    |<-----------------------------------------------------------|
    |                                                            |
    |   Prover Computes Response                                 |
    |   R = OcraSuite(K, {[C] | Q | [P | S | T]})                |
    |   Prover sends Response = R                                |
    |----------------------------------------------------------->|
    |                                                            |
    |   Verifier Validates Response                              |
    |   If Response is valid, Server sends OK                    |
    |   If Response is not, Server sends NOK                     |
    |<-----------------------------------------------------------|
    |                                                            |

  CLIENT                                                      SERVER
 (PROVER)                                                   (VERIFIER)
    |                                                            |
    |   1. Client sends client-challenge                         |
    |      QC = Client-challenge                                 |
    |----------------------------------------------------------->|
    |                                                            |
    |   2. Server computes server-response                       |
    |      and sends server-challenge                            |
    |      RS = OcraSuite(K, [C] | QC | QS | [S | T])            |
    |      QS = Server-challenge                                 |
    |      Response = RS, QS                                     |
    |<-----------------------------------------------------------|
    |                                                            |
    |   3. Client verifies server-response                       |
    |      and computes client-response                          |
    |      OcraSuite(K, [C] | QC | QS | [S | T]) != RS -> STOP   |
    |      RC = OcraSuite(K, [C] | QS | QC | [P | S | T])        |
    |      Response = RC                                         |
    |----------------------------------------------------------->|
    |                                                            |
    |   4. Server verifies client-response                       |
    |      OcraSuite(K, [C] | QS | QC | [P|S|T]) != RC -> STOP   |
    |      Response = OK                                         |
    |<-----------------------------------------------------------|
    |                                                            |
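The concatenation order and the verifier-side counter handling described above, as an added Python example (not LinOTP's own code). It follows the RFC 6287 data-input encoding and covers the C, Q, P and T inputs used by the suites listed on this page (S is not handled); the function names and the window semantics of check_otp are assumptions.

```python
# Added example, not LinOTP code; names and window semantics are assumptions.
import hashlib
import hmac
import struct

UNITS = {"S": 1, "M": 60, "H": 3600}   # time-step units in a T field, e.g. T1M

def data_input(suite, Q, C=None, pin=None, timestamp=None):
    """suite | 0x00 | C | Q | P | T; inputs the suite does not name are left out."""
    msg = suite.encode("ascii") + b"\x00"
    for field in suite.split(":")[2].split("-"):
        if field == "C":                    # 8-byte big-endian counter
            msg += struct.pack(">Q", C)
        elif field[0] == "Q":               # challenge, zero-padded to 128 bytes
            if field[1] == "N":             # numeric: decimal value as hex digits
                hexq = format(int(Q), "X")
            elif field[1] == "A":           # alphanumeric: raw ASCII bytes
                hexq = Q.encode("ascii").hex()
            else:                           # "H": challenge is already hex
                hexq = Q
            msg += bytes.fromhex(hexq.ljust(256, "0"))
        elif field[0] == "P":               # digest of the PIN, e.g. PSHA1
            msg += hashlib.new(field[1:].lower(), pin.encode()).digest()
        elif field[0] == "T":               # count of elapsed time steps
            step = int(field[1:-1]) * UNITS[field[-1]]
            msg += struct.pack(">Q", int(timestamp) // step)
        else:
            raise ValueError("data input not handled here: " + field)
    return msg

def ocra(key, suite, Q, **inputs):
    """R = HMAC(K, DataInput), dynamically truncated as in HOTP."""
    _, algo, digits = suite.split(":")[1].split("-")
    mac = hmac.new(key, data_input(suite, Q, **inputs), algo.lower()).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** int(digits)).zfill(int(digits))

def check_otp(key, suite, passw, counter, window, Q, pin=""):
    """Verifier side: return the matching counter in the window, else -1."""
    for c in range(counter, counter + window):
        if hmac.compare_digest(ocra(key, suite, Q, C=c, pin=pin), passw):
            return c
    return -1

if __name__ == "__main__":  # test key and values below are constructed for the demo
    key, suite = b"12345678901234567890123456789012", "OCRA-1:HOTP-SHA256-8:C-QN08-PSHA1"
    otp = ocra(key, suite, "12345678", C=2, pin="1234")   # token is at counter 2
    print(check_otp(key, suite, otp, 0, 5, "12345678", "1234"))  # server is at 0
```

Only when check_otp returns a counter does the verifier advance its stored counter; on -1 the stored value stays unchanged.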

class linotp.lib.ocra.OcraSuite(ocrasuite, secretObject=None)

OCRA-1:HOTP-SHA1-6:QN08
OCRA-1:HOTP-SHA256-8:QA08
OCRA-1:HOTP-SHA256-8:QN08-PSHA1

OCRA-1:HOTP-SHA512-8:C-QN08
OCRA-1:HOTP-SHA256-8:C-QN08-PSHA1

OCRA-1:HOTP-SHA512-8:QN08-T1M
OCRA-1:HOTP-SHA512-8:QA10-T1M

checkOtp(passw, counter, window, ocraChallenge, pin='', options=None, timeshift=0)

Check the given passw.

Parameters:
  • passw – the OTP to be verified
  • counter – the start counter from the token
  • window – the range within which the counter should be checked
  • ocraChallenge – the OCRA challenge, which goes into the OTP calculation
  • pin – the OCRA token PIN
  • options – support for identifying non-sequential OTP verification
  • timeshift – for time-based tokens, time offsets are supported
Returns:

the counter of the match, otherwise -1

combineData(C=None, Q=None, P=None, P_digest=None, S=None, T=None, T_precomputed=None, Qsc=None)
compute(data, key=None)

Compute an HOTP digest using the given key and data input and following the current crypto function description.

data2hashChallenge(data)
data2randomChallenge(data)

Build a random challenge according to the challenge definition.

data2rawChallenge(data)
signData(data, key=None)
linotp.lib.ocra.bytearray_to_bytes(a_bytearray)
linotp.lib.ocra.dec(h, p)
linotp.lib.ocra.int2beint64(i)
linotp.lib.ocra.is_int(v)
linotp.lib.ocra.main()
linotp.lib.ocra.truncated_value(h)